‘There is much misalignment between operational and IT systems’

Digital Creed attended the Gartner Security and Risk Management Summit 2016 in Mumbai, and caught up with Ganesh Ramamoorthy, Research VP, Gartner.

At the summit, Ganesh made presentations on the approaches to securing IoT.

We asked Ganesh for an update on the state of IoT projects in India, and how operational technology is changing the paradigm of trust and security in business. With more devices and things connecting to business and industrial networks, it is crucial for Information Technology to be aligned with Operational Technology. And Ganesh tells us the approach that organizations must follow.

And at the end of this interview, Ganesh indirectly explains why Tesla cars crash in autopilot mode.

Brian Pereira: What kind of IoT projects do you see happening in India? Can you describe some of the bigger ones? To what level has business accepted and implemented IoT and for what kind of applications?

Ganesh Ramamoorthy, Research VP, Gartner

Ganesh Ramamoorthy: We are not seeing any large-scale IoT implementations or projects in India at the moment. There is no such organization-wide project. But at this point of time there are small projects and there are two reasons for this:

Firstly, budgets need to be defined, and there are no benchmarks defined for these IoT projects. So these small projects are a means to help organizations identify what kind of budgets they would need for IoT projects. The funding for these small projects is coming from the CIO’s pocket or from the business unit that needs this project.

The second reason for small projects is they offer a means of identifying the challenges. When companies implement IoT, they see this angle of mobility coming in, because information is going to be accessed from mobile phones. And then they discover that their platform on the operations side is inadequate to push information to mobiles. There’s no MDM (mobile device management) on the operations side.

So when people start these small projects they realize that there is so much misalignment between the OT (operational technology) and IT systems.

BP: So what should organizations be doing for this alignment?

GR: First, they must do a complete audit of their OT systems. They need to understand their hardware and software infrastructure in their OT. Are these proprietary systems or commercially available ones? When was the software last updated or patched? That kind of history is not available on the OT side. It may exist, but it is lying with some business unit and inaccessible to the IT side.

Because of this misalignment the actual implementation takes much longer. The alignment must be done together, by the business unit and the IT team.

BP: With the addition of ‘things’ to business networks, the environment is getting more complex. So the definition of trust changes because it is no longer just about people connecting to networks. In this new scenario how does an organization ensure trust and security?

GR: The trust between a person and his personal device is quite implicit. The device would have a fingerprint sensor to authenticate the user. But the critical thing is to authenticate the devices in the IoT environment. They must be authenticated to perform certain functions. That’s where the trust comes in. Once you trust you can authorize.

But the enabling security solutions for this can’t be embedded in the IoT devices, because they are resource constrained (memory, power etc).

However, in future, we will see some form of trusted execution environments. They will store an ID or a key and the exchange of keys between devices will perform the authentication. Most of the ARM microcontrollers already include these trusted execution environments.

Moving forward we will see these IDs getting stored at the hardware level itself, and not in a separate partition created by these trusted execution zones. All the semi-conductor companies (NXP, ARM, Intel, Freescale etc) are already working on this.

BP: Now we are getting into Operational Technology, so people’s safety is important. What role does industrial safety play in IoT? What kind of safety mechanisms will emerge?

GR: When devices are communicating autonomously, and if it is a mission critical system, then human safety is critical. Imagine if an IoT device decided to open a valve and release a hazardous gas without any warning. So the safety of the people working in that industrial environment becomes important. Secondly, you have to consider the impact on adjacent systems. And it also creates some business risk for the environment.

Although there is legislation behind industrial safety, this is going to be further amplified because of IoT. Traditionally, we’ve had humans interacting with, and controlling industrial systems and machines. But now it is going to be a whole lot of IoT devices and machine-to-machine communication. So in future, systems will become more automated and employ machine learning too.

BP: Recall the recent Tesla car crashes when drivers enabled the autopilot mode. After such incidents our confidence in automation and autopilot wanes. Why should we continue to trust such systems?

GR: Tesla gives you the autopilot feature with a disclaimer that says: ‘Please don’t take your hands off the steering wheel’. Our ability to trust and rely on these systems is directly proportional to the resolution of their sensors. The closeness of monitoring is the resolution of the sensors. So the question is how closely can they monitor? We are already seeing 32-bit analog to digital converters coming in. These advances will improve the resolution of the sensors. Resolution is important for mission-critical systems.

Brian Pereira is an Indian journalist based in Mumbai. He has 25 years of technology journalism experience, and he's well known in the Indian IT industry. He is the former Editor of CHIP and InformationWeek magazines in India and has written technology articles for India's leading newspapers groups such as The Times of India and Indian Express Newspapers. Brian also writes on Aviation, startups and covers topics directed at small and medium businesses.
He also has event experience and once put together the conference program for CeBIT and INTEROP events in India.
Email: brian@digitalcreed.in
Twitter: @brian9p
Linkedin: https://in.linkedin.com/in/pereirabrian